Harden sandbox audit and release verification

Author: SecAI-Hub

.github/workflows/ci.yml

@@ -269,7 +269,7 @@ jobs:
           # Verify release workflow exists and contains required supply-chain steps
           test -f .github/workflows/release.yml || { echo "FAIL: release.yml missing"; exit 1; }
 
-          for keyword in "sbom-action" "attest-build-provenance" "cosign" "cyclonedx" "SHA256SUMS"; do
+          for keyword in "sbom-action" "attest-build-provenance" "cosign" "cyclonedx" "SHA256SUMS" "generate_custom_python_vex.py" ".vex.json"; do
             grep -q "${keyword}" .github/workflows/release.yml || \
               { echo "FAIL: release.yml missing '${keyword}'"; exit 1; }
             echo "OK: release.yml contains '${keyword}'"
@@ -363,6 +363,42 @@ jobs:
           "
           echo "=== Upstreams manifest check: PASSED ==="
 
+  sandbox-vex-smoke:
+    name: Sandbox OpenVEX Smoke
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.12"
+
+      - name: Build sandbox images required for OpenVEX generation
+        run: docker compose -f deploy/sandbox/compose.yaml --profile diffusion build ui agent search-mediator diffusion
+
+      - name: Generate sandbox OpenVEX document
+        run: |
+          python scripts/security/generate_custom_python_vex.py \
+            --image secai-sandbox-ui:latest \
+            --image secai-sandbox-agent:latest \
+            --image secai-sandbox-search-mediator:latest \
+            --image secai-sandbox-diffusion:latest \
+            --include-unicode-locale-glibc \
+            --output custom-python.vex.json
+
+      - name: Validate generated OpenVEX document
+        run: |
+          test -f custom-python.vex.json
+          jq -e '."@context" == "https://openvex.dev/ns/v0.2.0" and (.statements | type == "array") and (.statements | length > 0)' custom-python.vex.json >/dev/null
+
+      - name: Upload OpenVEX artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: sandbox-vex-smoke
+          path: custom-python.vex.json
+
   security-regression:
     name: Security Regression Tests
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -44,6 +44,7 @@ jobs:
             "Dependency Vulnerability Audit"
             "Test Count Drift Check"
             "Documentation Validation"
+            "Sandbox OpenVEX Smoke"
           )
 
           PASS=0
@@ -148,6 +149,34 @@ jobs:
           name: python-sboms
           path: dist/
 
+  build-sandbox-vex:
+    name: Build Sandbox OpenVEX Evidence
+    needs: [preflight]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Build sandbox images required for VEX generation
+        run: docker compose -f deploy/sandbox/compose.yaml --profile diffusion build ui agent search-mediator diffusion
+
+      - name: Generate sandbox OpenVEX document
+        run: |
+          mkdir -p dist
+          python3 scripts/security/generate_custom_python_vex.py \
+            --image secai-sandbox-ui:latest \
+            --image secai-sandbox-agent:latest \
+            --image secai-sandbox-search-mediator:latest \
+            --image secai-sandbox-diffusion:latest \
+            --include-unicode-locale-glibc \
+            --document-id "https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/custom-python.vex.json" \
+            --output dist/custom-python.vex.json
+
+      - name: Upload OpenVEX artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: sandbox-vex
+          path: dist/custom-python.vex.json
+
   build-iso:
     name: Build ISO
     needs: [preflight]
@@ -306,7 +335,7 @@ jobs:
   provenance:
     name: SLSA Provenance & Attestation
     runs-on: ubuntu-latest
-    needs: [build-go, build-python, build-iso, build-usb-image]
+    needs: [build-go, build-python, build-sandbox-vex, build-iso, build-usb-image]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -364,6 +393,15 @@ jobs:
               '. + [$name]')
           done
 
+          # Collect OpenVEX filenames
+          VEX_JSON="[]"
+          for vex in *.vex.json; do
+            [ -f "$vex" ] || continue
+            VEX_JSON=$(echo "$VEX_JSON" | jq \
+              --arg name "$vex" \
+              '. + [$name]')
+          done
+
           # Read image digest
           IMAGE_DIGEST="unknown"
           if [ -f IMAGE_DIGEST ]; then
@@ -383,6 +421,7 @@ jobs:
             --arg image_ref_pinned "$IMAGE_REF_PINNED" \
             --argjson binaries "$BINARIES_JSON" \
             --argjson sboms "$SBOMS_JSON" \
+            --argjson vex "$VEX_JSON" \
             --arg provenance_type "https://slsa.dev/provenance/v1" \
             --arg checksum_file "SHA256SUMS" \
             --arg signature_file "SHA256SUMS.sig" \
@@ -400,6 +439,7 @@ jobs:
               },
               binaries: $binaries,
               sboms: $sboms,
+              vex: $vex,
               provenance: {
                 type: $provenance_type,
                 attested: true
@@ -480,6 +520,7 @@ jobs:
           files: |
             dist/*-linux-*
             dist/*-sbom.cdx.json
+            dist/*.vex.json
             dist/SHA256SUMS
             dist/SHA256SUMS.sig
             dist/IMAGE_DIGEST

.gitignore

@@ -34,3 +34,7 @@ dist/
 .DS_Store
 Thumbs.db
 /.bluebuild-scripts_*
+
+# Sandbox bundle
+/deploy/sandbox/.env
+/deploy/sandbox/runtime/

Makefile

@@ -31,6 +31,16 @@ help: ## Show available targets
 verify-release: ## Verify a release image (IMAGE=ghcr.io/...)
 	@files/scripts/verify-release.sh "$(IMAGE)"
 
+.PHONY: sandbox-vex
+sandbox-vex: ## Generate local sandbox OpenVEX document (requires built sandbox images)
+	python scripts/security/generate_custom_python_vex.py \
+	  --image secai-sandbox-ui:latest \
+	  --image secai-sandbox-agent:latest \
+	  --image secai-sandbox-search-mediator:latest \
+	  --image secai-sandbox-diffusion:latest \
+	  --include-unicode-locale-glibc \
+	  --output custom-python.vex.json
+
 .PHONY: test
 test: test-go test-python ## Run all tests (Go + Python)
 

README.md

@@ -69,13 +69,14 @@ The setup wizard guides you through privacy profile selection, system verificati
 | **Bootstrap** (Recommended) | ~30 min | Real PC or VM | Install Fedora Silverblue, run script, reboot |
 | **Portable USB** | ~10 min | Run directly from a USB stick | Flash the release `*-usb.raw.xz` artifact to removable media |
 | **Build VM locally** | ~45 min | VirtualBox / VMware / KVM | `scripts/vm/build-qcow2.sh` builds a QCOW2 from the OCI image |
+| **Sandbox Stack** | ~10 min | Evaluate on an existing workstation | Compose-based control-plane bundle with explicit lower-assurance limits |
 | **Development** | ~10 min | Service development only | No OS features; see [dev guide](docs/install/dev.md) |
 
-See [docs/install/quickstart.md](docs/install/quickstart.md) for full step-by-step instructions, VM build details, and verification commands.
+See [docs/install/quickstart.md](docs/install/quickstart.md) for full step-by-step instructions, including the [sandbox path](docs/install/sandbox.md), VM build details, and verification commands.
 
 For production deployments with digest pinning: `sudo bash secai-bootstrap.sh --digest sha256:RELEASE_DIGEST`
 
-See [bare metal](docs/install/bare-metal.md) | [virtual machine](docs/install/vm.md) | [development](docs/install/dev.md) | [recovery](docs/install/recovery-bootstrap.md)
+See [bare metal](docs/install/bare-metal.md) | [virtual machine](docs/install/vm.md) | [sandbox](docs/install/sandbox.md) | [development](docs/install/dev.md) | [recovery](docs/install/recovery-bootstrap.md)
 
 ### Get Your First Model
 

build/cpython-patches/0001-cve-2026-4786-webbrowser-action-bypass.patch

@@ -0,0 +1,23 @@
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 9ead2990e818e5..52cd91d3da206d 100644
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -274,7 +274,6 @@ class GenericBrowser(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+-        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -288,8 +287,10 @@ class GenericBrowser(BaseBrowser):
+             raise Error("Bad 'new' parameter to open(); "
+                         f"expected 0, 1, or 2, got {new}")
+ 
+-        args = [arg.replace("%s", url).replace("%action", action)
++        self._check_url(url.replace("%action", action))
++
++        args = [arg.replace("%action", action).replace("%s", url)
+                 for arg in self.remote_args]
+         args = [arg for arg in args if arg]
+         success = self._invoke(args, True, autoraise, url)

build/cpython-patches/0002-cve-2026-6100-decompressor-uaf.patch

@@ -0,0 +1,36 @@
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
+index 7b8cbf3ed96184..84d7a41ebc24c5 100644
+--- a/Modules/_bz2module.c
++++ b/Modules/_bz2module.c
+@@ -569,6 +569,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    bzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
+index 3c391675d7b93e..00ee68dcea2d0d 100644
+--- a/Modules/_lzmamodule.c
++++ b/Modules/_lzmamodule.c
+@@ -1100,6 +1100,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    lzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
+index f67434ecdc908c..9c5820fbe97a6b 100644
+--- a/Modules/zlibmodule.c
++++ b/Modules/zlibmodule.c
+@@ -1669,6 +1669,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
+     return result;
+ 
+ error:
++    self->zst.next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }

build/cpython-patches/0003-cve-2026-3298-windows-recvfrom-boundary-check.patch

@@ -0,0 +1,16 @@
+diff --git a/Modules/overlapped.c b/Modules/overlapped.c
+index 822e1ce4bdc28d..51aee5afd35b6d 100644
+--- a/Modules/overlapped.c
++++ b/Modules/overlapped.c
+@@ -1910,6 +1910,11 @@ _overlapped_Overlapped_WSARecvFromInto_impl(OverlappedObject *self,
+     }
+ #endif
+ 
++    if (bufobj->len < (Py_ssize_t)size) {
++        PyErr_SetString(PyExc_ValueError, "nbytes is greater than the length of the buffer");
++        return NULL;
++    }
++
+     wsabuf.buf = bufobj->buf;
+     wsabuf.len = size;
+ 

build/cpython-patches/0004-cve-2026-1502-http-tunnel-header-validation.patch

@@ -0,0 +1,37 @@
+From 05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 Mon Sep 17 00:00:00 2001
+From: Seth Larson <seth@python.org>
+Date: Fri, 10 Apr 2026 10:21:42 -0500
+Subject: [PATCH] gh-146211: Reject CR/LF in HTTP tunnel request headers
+
+---
+ Lib/http/client.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index 73c3256734a64f..1e1a535c4c4eb1 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -976,13 +976,22 @@ def _wrap_ipv6(self, ip):
+         return ip
+ 
+     def _tunnel(self):
++        if _contains_disallowed_url_pchar_re.search(self._tunnel_host):
++            raise ValueError('Tunnel host can\'t contain control characters %r'
++                             % (self._tunnel_host,))
+         connect = b"CONNECT %s:%d %s\r\n" % (
+             self._wrap_ipv6(self._tunnel_host.encode("idna")),
+             self._tunnel_port,
+             self._http_vsn_str.encode("ascii"))
+         headers = [connect]
+         for header, value in self._tunnel_headers.items():
+-            headers.append(f"{header}: {value}\r\n".encode("latin-1"))
++            header_bytes = header.encode("latin-1")
++            value_bytes = value.encode("latin-1")
++            if not _is_legal_header_name(header_bytes):
++                raise ValueError('Invalid header name %r' % (header_bytes,))
++            if _is_illegal_header_value(value_bytes):
++                raise ValueError('Invalid header value %r' % (value_bytes,))
++            headers.append(b"%s: %s\r\n" % (header_bytes, value_bytes))
+         headers.append(b"\r\n")
+         # Making a single send() call instead of one per line encourages
+         # the host OS to use a more optimal packet size instead of

build/cpython-patches/0005-cve-2025-15366-imap-control-char-rejection.patch

@@ -0,0 +1,31 @@
+From 6262704b134db2a4ba12e85ecfbd968534f28b45 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Tue, 20 Jan 2026 14:45:42 -0600
+Subject: [PATCH] gh-143921: Reject control characters in IMAP commands
+
+---
+ Lib/imaplib.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/imaplib.py b/Lib/imaplib.py
+index 22a0afcd981519..cb3edceae0d9f1 100644
+--- a/Lib/imaplib.py
++++ b/Lib/imaplib.py
+@@ -129,7 +129,7 @@
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P<size>\d+)}$'
+ _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
+-
++_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+ 
+ 
+ class IMAP4:
+@@ -1105,6 +1105,8 @@ def _command(self, name, *args):
+             if arg is None: continue
+             if isinstance(arg, str):
+                 arg = bytes(arg, self._encoding)
++            if _control_chars.search(arg):
++                raise ValueError("Control characters not allowed in commands")
+             data = data + b' ' + arg
+ 
+         literal = self.literal